<!DOCTYPE html>
<html>

<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
	<meta name="theme-color" content="#33474d">
	<title>Using iptables on CentOS 7 | 失落的乐章</title>
	<link rel="stylesheet" href="/css/style.css" />
	
      <link rel="alternate" href="/atom.xml" title="失落的乐章" type="application/atom+xml">
    
</head>

<body>

	<header class="header">
		<h1 class="header__title"><a href="/">失落的乐章</a></h1>
		<h2 class="header__subtitle">Before technology, one is always a student.</h2>
	</header>

	<main>
		<article>
	
		<h1>Using iptables on CentOS 7</h1>
	
	<div class="article__infos">
		<span class="article__date">2017-10-12</span><br />
		
		
			<span class="article__tags">
			  	<a class="article__tag-link" href="/tags/Linux/">Linux</a>
			</span>
		
	</div>

	

	
		<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;After upgrading the system to CentOS 7, iptables always seemed a bit off: no matter how I saved the rules, they were reset after every reboot, even after I resorted to the ultimate trick of running a command at boot:</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;First, iptables-save &gt; /etc/iptables.rules to save the current state.</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># iptables-save &gt; /etc/iptables.rules</span></div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;Then force it into /etc/rc.local:</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">iptables-restore /etc/iptables.rules</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;After the reboot the rules did take effect, but on closer inspection there were still some extra entries that had been added out of nowhere, which was quite annoying.</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;A bit of googling revealed the cause. In version 7 Red Hat changed the system software: iptables is no longer used as the system firewall, FirewallD is. For compatibility with the old commands you can still use iptables to set up rules, but at boot time firewalld does its own thing.</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;The fix is simple too:</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;First, you could consider following the official direction and switching to FirewallD. Going by the official documentation, it works fine.</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;But personally I think that if there is no significant gain you can keep using the old iptables. If you plan to keep using iptables, proceed as follows:</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;Back up the current rules</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># iptables-save &gt; iptables.rules</span></div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;Disable FirewallD, install &amp; enable iptables-services</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># systemctl stop firewalld</span></div><div class="line">[root@openstack1 ~]<span class="comment"># systemctl mask firewalld</span></div><div class="line">Created symlink from /etc/systemd/system/firewalld.service to /dev/null.</div><div class="line">[root@openstack1 ~]<span class="comment"># yum install -y iptables-services</span></div><div class="line">[root@openstack1 ~]<span class="comment"># systemctl enable iptables</span></div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;mask is a stronger form of disabling than disable: a masked unit cannot be started at all.</p>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;To make the /etc/init.d/iptables save command work, do the following:</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># cp /usr/libexec/iptables/iptables.init /etc/init.d/iptables</span></div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;And the chkconfig iptables command is automatically forwarded to systemctl enable iptables</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># chkconfig iptables on</span></div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;Checking iptables at this point shows that the rules have been cleared</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># iptables -nxL</span></div><div class="line">Chain INPUT (policy ACCEPT)</div><div class="line">target   prot   opt   <span class="built_in">source</span>   destination </div><div class="line"></div><div class="line">Chain FORWARD (policy ACCEPT)</div><div class="line">target   prot   opt   <span class="built_in">source</span>   destination </div><div class="line"></div><div class="line">Chain OUTPUT (policy ACCEPT)</div><div class="line">target   prot   opt   <span class="built_in">source</span>   destination</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;Restore the backed-up rules</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># iptables-restore iptables.rules</span></div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;Save the current rules</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># /usr/libexec/iptables/iptables.init save</span></div><div class="line">iptables: Saving firewall rules to /etc/sysconfig/iptables:[ 确定 ]</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;If you installed from the minimal image, you may get this message</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">iptables: Saving firewall rules to /etc/sysconfig/iptables: /etc/init.d/iptables: line 274: restorecon: <span class="built_in">command</span> not found</div></pre></td></tr></table></figure>
<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;This is because SELinux is not installed, so a component is missing. Just install policycoreutils.</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">[root@openstack1 ~]<span class="comment"># yum install -y policycoreutils</span></div></pre></td></tr></table></figure>
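<p>&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;A check for the "extra entries" described above, added here as an example and not taken from the original post: it normalizes the saved rule file and a fresh iptables-save capture and prints any rule that is loaded but absent from the backup. The sample dumps it ships with are constructed, and the IN_public chain stands in for whatever crept in at boot.</p>

```shell
# Added example, not from the original post. Assumes iptables-save output.
# Strip what legitimately differs between two dumps of the same ruleset:
# timestamp comments, per-chain packet/byte counters, blank lines.
normalize_rules() {
    sed -e '/^# Generated by/d' -e '/^# Completed on/d' \
        -e 's/[[:space:]]*\[[0-9]*:[0-9]*\][[:space:]]*$//' \
        -e '/^[[:space:]]*$/d'
}

# Lines present in the live dump ($2) but absent from the saved dump ($1).
# Empty output means the loaded ruleset matches the backup.
unexpected_rules() {
    saved=$(mktemp) && live=$(mktemp) || return 2
    normalize_rules < "$1" | LC_ALL=C sort -u > "$saved"
    normalize_rules < "$2" | LC_ALL=C sort -u > "$live"
    LC_ALL=C comm -13 "$saved" "$live"
    rm -f "$saved" "$live"
}

# 0 if nothing unexpected is loaded, 1 otherwise. On the host:
#   iptables-save > /run/live.rules
#   check_live_rules /etc/sysconfig/iptables /run/live.rules
check_live_rules() {
    extra=$(unexpected_rules "$1" "$2") || return 2
    [ -n "$extra" ] || return 0
    printf 'rules loaded that are not in %s:\n%s\n' "$1" "$extra" >&2
    return 1
}

# Constructed sample: the backup as written by iptables-save, and a capture
# taken after a reboot in which a firewalld-style chain crept in.
sample_saved_dump() {
    cat <<'EOF'
# Generated by iptables-save v1.4.21 on Thu Oct 12 10:00:00 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Oct 12 10:00:00 2017
EOF
}
sample_live_dump() {
    sample_saved_dump | sed -e 's/\[0:0\]/[512:40960]/' \
        -e '/^:OUTPUT/a\
:IN_public - [0:0]' -e '/--dport 22/a\
-A INPUT -j IN_public'
}
```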

	

	

	

</article>

	</main>

	<footer class="footer">
	<div class="footer-content">
		

	    

		<div class="footer-credit">
			<span>© 2017 失落的乐章 | Powered by <a href="https://hexo.io/">Hexo</a> | Theme <a href="https://github.com/HoverBaum/meilidu-hexo">MeiliDu</a></span>
		</div>

	</div>


</footer>



</body>

</html>
